TorqueTorque

Search docs

Search Torque documentation pages & sections

Connect OAuth

Torque Connect is the v1 user consent gate for embedded wallets and third-party execute. Your app starts OAuth; the user approves scopes on a hosted screen; you exchange the authorization code for a delegated JWT and call POST /execute/**. Business API keys provision wallets and read data — they do not sign user transactions.

Prerequisites

  • Business API key from developers.torque.fi (server only).
  • App URL registered in portal Settings → Cash-Out Setup (callback https://yourapp.com/torque/connect/callback).
  • End-user wallet provisioned via Integrator Wallets when building embedded fintech flows.

OAuth Flow

WhoAction
Your serverPOST /connect/authorize/session with redirect_uri, PKCE, and optional externalUserId
UserApproves scopes on hosted Connect consent screen
Your serverCallback at https://yourapp.com/torque/connect/callback receives ?code=…
Your serverPOST /connect/token → delegated JWT
Your serverPOST /execute/** with delegated JWT (never sk_live_… for user txs)

Test before launch: portal Settings → enable test cash-out (callback https://developers.torque.fi/connect/callback).

1. Authorize Session

authorize-session.sh
export TORQUE_KEY="sk_live_…"

curl -sS -X POST "https://app.torque.fi/api/v1/connect/authorize/session" \
  -H "Authorization: Bearer $TORQUE_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "redirectUri": "https://yourapp.com/torque/connect/callback",
    "codeChallenge": "<pkce_challenge>",
    "codeChallengeMethod": "S256",
    "externalUserId": "your-user-id"
  }' | jq '.authorizeUrl'

Redirect the user to authorizeUrl. Use PKCE on the server; never expose sk_live_… to the browser.

2. Exchange Code

connect-token.sh
curl -sS -X POST "https://app.torque.fi/api/v1/connect/token" \
  -H "Authorization: Bearer $TORQUE_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "code": "<from_callback>",
    "redirectUri": "https://yourapp.com/torque/connect/callback",
    "codeVerifier": "<pkce_verifier>"
  }' | jq '.accessToken, .expiresIn'

The returned accessToken is the delegated JWT for execute routes.

3. Execute

execute-transfer.sh
export DELEGATED_JWT="<accessToken from /connect/token>"

curl -sS -X POST "https://app.torque.fi/api/v1/execute/transfers" \
  -H "Authorization: Bearer $DELEGATED_JWT" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: $(uuidgen)" \
  -d '{ ... prepared transfer body ... }'

Route catalog and idempotency: Actions API, Execute Idempotency.

Integration Profiles

Torque supports multiple partner shapes. Profile B uses POST /connect/confirm /connect/execute. Profiles C/D use the OAuth flow above. See Authentication and Actions: cash-out and execute.

SDKs: torque-connect, torque-actions, @torquefi/react TorqueConnectButton.

Questions or corrections? hello@torque.fi